Posted on 07-14-2016 12:20 PM
Is it possible to rename a Mac while it's already bound to AD?
We have a particular naming scheme we follow and have been told it needs to change. All of our Macs are in AD so it would be nice if we could rename them without the steps to unbind, rename, and then rebind.
Posted on 07-14-2016 12:26 PM
Do you mean just make sure it has the proper hostname, computer name, etc? You can use scutil for that. Here is an example of how we add a prefix, or make sure a Mac has the proper prefix based on location:
#!/bin/sh
prefix="NYC"
serial=`system_profiler SPHardwareDataType | awk '/Serial Number/ { print $4 }'`
scutil --set ComputerName "${prefix}${serial}"
scutil --set HostName "${prefix}${serial}"
scutil --set LocalHostName "${prefix}${serial}"
jamf recon
That usually does the trick for us and has worked well. Hopefully it helps you out.
Posted on 07-14-2016 12:31 PM
Thanks and sorry, I should have explained better...
I've actually seen here on jamfnation those very lines. What I wasn't clear on was to whether it was safe to rename a Mac while it's bound to AD and whether the name being changed while being bound would be reflected in AD.
I was planning to test this myself but I thought I would throw the question out there to see if anyone might have tried this and ran into any problems already.
Posted on 07-14-2016 12:39 PM
The process above by @perrycj will just rename it on the Mac OS level. To change it in AD and Mac OS the following script will work.
ComputerName=$(/Applications/Utilities/CocoaDialog.app/Contents/MacOS/CocoaDialog inputbox --title "Rename Computer" --informative-text "Enter Computer Name" --button1 "Rename" --button2 "Cancel")
#The unquoted echo joins the button number and the entered text as "1 name"; strip only the leading "1 ".
result=$(echo $ComputerName | sed -e 's/^1 //')
if [ "$result" = "2" ]
then
exit 0
else
#Change computer name, local hostname, and hostname with user provided input.
/usr/sbin/scutil --set ComputerName "$result"
/usr/sbin/scutil --set HostName "$result"
/usr/sbin/scutil --set LocalHostName "$result"
#Run an inventory update to reflect name change in the JSS.
/usr/local/jamf/bin/jamf recon
#Force unbind to Active Directory
/usr/sbin/dsconfigad -force -remove -u noaccountneeded -p nopasswordneeded
#Rebind to Active Directory assuming you have a directory binding in your JSS
/usr/local/jamf/bin/jamf policy -event rebind
fi
exit 0
Posted on 07-14-2016 02:16 PM
@jhuls Oh ok gotcha. Yea I thought you just meant changing the computer name on the Macs themselves.
In order for the object name to reflect the change, then yes you would have to unbind and rebind. Otherwise, AD thinks the current binding object name is still valid and will keep it in the AD back end.
Posted on 07-14-2016 02:26 PM
We had an issue where a lot of Macs were bound to AD with a name that didn't match the ComputerName. We were looking at correcting the issue, but after we pulled a report and saw how many computers were affected, we backed out.
We still get asked to produce reports, so created an EA to flag Match or Mismatch. I guess at some point this might be brought back to the front burner.
In case this is helpful...
#!/bin/sh
COMPUTERNAME=$(scutil --get ComputerName)
ADNAME=$(dsconfigad -show | grep "Computer Account" | awk '{print $4}' | cut -d '$' -f 1)
# Quote both sides so a name with spaces or an empty ADNAME does not break the test
if [ "$COMPUTERNAME" = "$ADNAME" ]; then
echo "<result>Match</result>"
else
echo "<result>Mismatch</result>"
fi
PS, forgot if we stole pieces of this from @mm2270 , or @stevewood, or someone else...LOL
HTH
Don
Posted on 07-15-2016 02:21 AM
The safest process is to unbind, rename the computer then rebind. That keeps everything nice and consistent. The AD object name does not update when the computer name changes.
Posted on 07-15-2016 06:53 AM
Keep in mind one tidbit of removing from AD with a bogus user/pass. It does not properly remove the computer from the AD list, possibly giving you two of the same machine, with each name before and after change.
Posted on 07-15-2016 07:25 AM
@franton wrote:
The safest process is to unbind, rename the computer then rebind. That keeps everything nice and consistent. The AD object name does not update when the computer name changes.
I agree, and in large environments where waterfall reports are used to reconcile things, having AD and JSS report different Computer Names for the same computer is not good.
@jjones wrote:
Keep in mind one tidbit of removing from AD with a bogus user/pass. It does not properly remove the computer from the AD list, possibly giving you two of the same machine, with each name before and after change.
We got scolded for forcing a computer to unbind from AD, since we tried to do the right thing and called in to get the object removed from AD. Since we haven't been able to "rejoin existing object" using JSS.
Don
Posted on 07-16-2016 12:03 PM
Thanks everybody...it's a bit disappointing to need to remove it from AD before renaming and then rebinding since if memory serves correctly, I could rename a Windows system already joined to the domain. I guess that's what scripting is for but when we're dealing with systems in different OUs it adds to the overhead of doing what should seem like a simple job. The life of a Mac admin...sigh.
Posted on 07-16-2016 12:07 PM
Taken me long enough but finally found what I wrote to do all this!
#!/bin/bash
CD="/private/tmp/CocoaDialog.app/Contents/MacOS/CocoaDialog"
# Dialog to enter the computer name and then create the $COMPUTERNAME variable
rv=($($CD standard-inputbox --title "Computer Name" --no-newline --informative-text "Enter the new name of the computer."))
COMPUTERNAME=${rv[1]}
# Dialog to show a please wait box while we work ...
rm -f /private/tmp/hpipe
mkfifo /private/tmp/hpipe
$CD progressbar --indeterminate --title "Renaming Computer" --width 250 --height 80 < /tmp/hpipe &
exec 3<> /tmp/hpipe
echo -n . >&3
# Unbind from AD here
dsconfigad -force -remove -username *replace* -password *replace*
# Set Hostname using variable created above
scutil --set HostName "$COMPUTERNAME"
scutil --set LocalHostName "$COMPUTERNAME"
scutil --set ComputerName "$COMPUTERNAME"
# Rebind to AD here
jamf bind -type ad \
    -domain ?.? \
    -username *replace* \
    -password *replace* \
    -ou "OU=Mac,OU=?,OU=?,OU=?,DC=*replace*,DC=*replace*" \
    -cache \
    -localHomes \
    -useUNCPath \
    -mountStyle SMB \
    -defaultShell /bin/bash \
    -adminGroups "domain admins,enterprise admins,domaingroup"
# All done, clean up after ourselves.
exec 3>&-
wait
rm -f /private/tmp/hpipe
# Dialog to confirm that the hostname was changed and what it was changed to.
tb=`$CD ok-msgbox --text "Computer Name Changed!" \
    --informative-text "The computer name has been changed to $COMPUTERNAME" \
    --no-newline --float`
if [ "$tb" == "1" ]; then
echo "Computer name changed"
elif [ "$tb" == "2" ]; then
echo "Canceling"
fi
# All done!
exit 0
Please note that you have to program in the OU details directly into the script. You will want to modify this to suit your own AD environment.
Posted on 07-18-2016 12:47 AM
It's rare for us here to have the wrong name, mainly if we do a HDD swap or something along those lines, so we just run the following commands through terminal -
sudo scutil --set ComputerName "newname"
sudo scutil --set LocalHostName "newname"
sudo scutil --set HostName "newname"
Posted on 07-24-2019 03:29 PM
@franton Since CocoaDialog is deprecated, is there another way now?
Posted on 09-25-2019 05:37 AM
Have any of you run into 802.1x issues or issues with machine certs on the devices you have renamed? I found a couple test devices I renamed (before I found this post) still had a computer cert in the Keychain that had the old computer name. I ran into some issues with the machine authenticating to 802.1x with that cert.
Just wondering if anyone else ran into that issue or not. Thanks!
Posted on 04-17-2020 08:59 AM
@kevin.v I ended up switching from CocoaDialog to Pashua since a 64-bit version of CocoaDialog to support macOS Catalina has not been released.
https://www.bluem.net/en/projects/pashua/
Not perfect and does not support progress bars but great for receiving input from end user with text field, drop down, radio button, etc. as well as displaying information.
Posted on 04-17-2020 09:04 AM
@bcbackes I have found you would have to get the certificate re-issued since the request was made with the previous name, certificate will not be removed but a new one needs to be requested/installed. The configuration profile that installed the AD certificate would need to be removed to delete the old cert or manually delete from the keychain.
Posted on 04-30-2020 11:37 AM
@donmontalvo I'm using your EA you have posted above to find mismatched computer names. However, I found some devices are showing mismatch even though they are spelled exactly the same. It appears it's case sensitive. The computer is all uppercase and AD has them as lowercase. Is there a way to modify the EA so it's not reporting back based on case sensitivity?
Thanks!
Posted on 05-01-2020 09:17 AM
@bcbackes You can convert your computer name to lowercase when you pull it:
COMPUTERNAME="`scutil --get ComputerName | awk '{print tolower($0)}'`"
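An added example, not part of the thread or any poster's script: a version of the extension attribute discussed above that lowercases both names before comparing, tolerates computer names with spaces, and reports when no AD computer account is found. The function names, the "Not Bound" result and the sample dsconfigad -show text are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: extension attribute comparing ComputerName with the AD
# computer account, ignoring case. Function names are illustrative.

# Constructed sample of `dsconfigad -show` output (not from a real machine).
SAMPLE_SHOW='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = nyc-c02xx0000$'

# Read `dsconfigad -show` output on stdin and print the account name
# without its trailing "$". Prints nothing if the line is absent.
ad_account_name() {
    awk -F' = ' '/Computer Account/ {
        gsub(/[ \t\r]/, "", $2); sub(/\$$/, "", $2); print $2; exit
    }'
}

lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# $1 = local ComputerName, $2 = raw `dsconfigad -show` output.
compare_names() {
    ad_name=$(printf '%s\n' "$2" | ad_account_name)
    if [ -z "$ad_name" ]; then
        echo "Not Bound"
    elif [ "$(lower "$1")" = "$(lower "$ad_name")" ]; then
        echo "Match"
    else
        echo "Mismatch"
    fi
}

if command -v scutil >/dev/null 2>&1 && command -v dsconfigad >/dev/null 2>&1; then
    # On a Mac: report the live values to the JSS.
    echo "<result>$(compare_names "$(scutil --get ComputerName)" "$(dsconfigad -show)")</result>"
else
    # Elsewhere: run against the constructed sample.
    echo "<result>$(compare_names "NYC-C02XX0000" "$SAMPLE_SHOW")</result>"
fi
```

A separate "Not Bound" value keeps unbound Macs out of the Mismatch group when building a smart group or report from this attribute.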